Enguehard, Marcel

Abstract [en]

Middleboxes are essential to the functioning of today's internet. They are for instance used to secure networks, to enhance performance (e.g., throughput, scalability or end-user latency) or to monitor traffic. Although middleboxes are usually deployed as expensive dedicated hardware, the past 15 years have seen the emergence of a new paradigm: network function virtualisation (NFV). In the NFV context, middleboxes are implemented in software on commodity hardware, thus reducing costs and increasing flexibility. Some of the most recent work even boasts performance equal to that of hardware middleboxes (e.g., line-rate throughput).

However, none of the frameworks that we could find was suited to implementing chains of virtualised middleboxes. Indeed, a packet often has to cross numerous middleboxes when traversing the internet. For an NFV deployment to scale out and reduce the network overhead, one would wish to deploy all these middleboxes on the same physical machine. We provide an evaluation of a state-of-the-art NFV framework which shows that the throughput of a chain of 8 middleboxes running on the same server can be as much as 5 times smaller than the throughput of a single middlebox. We then introduce Hyper-NF, a new NFV framework specifically designed for implementing chains of virtualised middleboxes. Hyper-NF eliminates redundant packet and I/O operations: given a chain of middleboxes, it uses graph search and set theory to generate a single equivalent middlebox that performs only one read and one write operation per packet.

Experimentation with middlebox deployments inspired by real-world use cases shows that Hyper-NF achieves constant throughput and latency despite the increasing number of chained middleboxes. Thus, it achieves considerably better performance than traditional deployments. On a chain of 8 virtualised middleboxes, Hyper-NF has a 5 times higher throughput, a 10 times lower latency and uses 8.5 times fewer CPU cycles per packet.
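The following is an added toy illustration of the synthesis idea described in the abstract; it is not code from the thesis or from Hyper-NF, and the middlebox model (prioritised rule lists over integer header fields, a port-translating NAT, a firewall and a load balancer as constructed sample boxes) is an assumption made for the example. It runs a chain box by box, counting one read and one write per box, then enumerates the rule paths through the chain (a depth-first graph search), intersects their match intervals into traffic classes, and checks on constructed packets that the resulting single box forwards or drops exactly as the chain does with one read and one write.

```python
"""Synthesizing a chain of rule-based middleboxes into one equivalent pass.

Constructed illustration: a packet crossing N middleboxes costs N reads and
N writes; the synthesized box matches the packet once against pre-computed
traffic classes (intersections of the chain's match conditions) and applies
the composed action with a single read and a single write.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]      # inclusive integer range on a header field
Packet = Dict[str, int]         # header fields modelled as plain integers (assumption)
FIELD_MAX = 2**16 - 1           # upper bound of a wildcard interval (assumption)


@dataclass
class Rule:
    """First matching rule of a middlebox wins; an absent field is a wildcard."""
    match: Dict[str, Interval] = field(default_factory=dict)
    drop: bool = False
    rewrite: Dict[str, int] = field(default_factory=dict)


Middlebox = List[Rule]  # a packet matching no rule passes through unchanged


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(lo <= pkt.get(f, 0) <= hi for f, (lo, hi) in rule.match.items())


def run_chain(chain: List[Middlebox], pkt: Packet, io: Dict[str, int]) -> Optional[Packet]:
    """Traditional deployment: every middlebox reads the packet and writes it on."""
    pkt = dict(pkt)
    for box in chain:
        io["reads"] += 1
        for rule in box:
            if matches(rule, pkt):
                if rule.drop:
                    return None
                pkt.update(rule.rewrite)
                break
        io["writes"] += 1
    return pkt


def compose(prefix: Rule, rule: Rule) -> Optional[Rule]:
    """Traffic class (on the original packet) that reaches `rule` via the path
    summarised by `prefix`; None if the class is empty (path never taken)."""
    match = dict(prefix.match)
    for f, (lo, hi) in rule.match.items():
        if f in prefix.rewrite:
            # field already rewritten upstream: the check is a constant
            if not lo <= prefix.rewrite[f] <= hi:
                return None
            continue
        plo, phi = match.get(f, (0, FIELD_MAX))
        lo, hi = max(lo, plo), min(hi, phi)   # set intersection of intervals
        if lo > hi:
            return None
        match[f] = (lo, hi)
    return Rule(match, rule.drop, {**prefix.rewrite, **rule.rewrite})


def synthesize(chain: List[Middlebox]) -> Middlebox:
    """Enumerate rule paths in priority order and fold them into one rule list.
    Lexicographic path order preserves first-match semantics of the chain."""
    paths = [Rule()]
    for box in chain:
        expanded = []
        for p in paths:
            if p.drop:                      # path already ended in a drop
                expanded.append(p)
                continue
            for rule in box + [Rule()]:     # explicit catch-all = implicit pass
                cls = compose(p, rule)
                if cls is not None:
                    expanded.append(cls)
        paths = expanded
    return paths


def io_cost(boxes: List[Middlebox], pkt: Packet) -> Tuple[int, int]:
    io = {"reads": 0, "writes": 0}
    run_chain(boxes, pkt, io)
    return io["reads"], io["writes"]


def equivalent(chain: List[Middlebox], synth: Middlebox, packets: List[Packet]) -> bool:
    blank = lambda: {"reads": 0, "writes": 0}
    return all(run_chain(chain, p, blank()) == run_chain([synth], p, blank()) for p in packets)


# Constructed chain: port-translating NAT -> firewall -> load balancer.
NAT = [Rule({"dport": (8080, 8080)}, rewrite={"dport": 80})]
FIREWALL = [Rule({"dport": (23, 23)}, drop=True),
            Rule({"src": (10, 19)}, drop=True)]          # constructed blocked source range
BALANCER = [Rule({"dport": (80, 80), "src": (0, 49)}, rewrite={"dst": 1}),
            Rule({"dport": (80, 80)}, rewrite={"dst": 2})]
CHAIN = [NAT, FIREWALL, BALANCER]
SYNTH = synthesize(CHAIN)

# Constructed sample packets covering every rule boundary above.
SAMPLE_PACKETS = [{"src": s, "dport": d, "dst": 0}
                  for s in (0, 5, 10, 19, 20, 49, 50, 99)
                  for d in (22, 23, 80, 443, 8080)]

if __name__ == "__main__":
    print("synthesized rules:", len(SYNTH), "equivalent:", equivalent(CHAIN, SYNTH, SAMPLE_PACKETS))
    fwd = {"src": 5, "dport": 8080, "dst": 0}
    print("chain I/O:", io_cost(CHAIN, fwd), "synthesized I/O:", io_cost([SYNTH], fwd))
```

Some synthesized classes are shadowed by earlier ones (for example a pass-through class that is fully covered by a preceding drop class); they are harmless for correctness but a real framework would prune them to keep the classifier small.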